HSTS Strict-Transport-Security Error — HTTPS Enforcement and Preload Issues
About HSTS Strict-Transport-Security Error
Fix HTTP Strict-Transport-Security (HSTS) errors, including redirect loops, preload list issues, and certificate problems that block site access. This guide covers the common causes, step-by-step solutions, and frequently asked questions.
This article is part of our HTTP Status Codes collection on Error Codes Wiki.
Quick Answer
Can I remove my site from the HSTS preload list?
Yes, but it takes months. Submit a removal request at hstspreload.org. The change must propagate through browser update cycles (Chrome, Firefox, Safari, Edge), which can take 3-6 months.
Key Details
- HSTS forces browsers to use HTTPS for all future requests to the domain after the first visit (the header is only honoured when received over HTTPS)
- Once HSTS is set, browsers refuse to connect over HTTP and will not allow certificate exceptions
- HSTS preload list inclusion makes the policy permanent — removal takes months
- The max-age directive sets how long (in seconds) the browser enforces HTTPS-only access
- Including includeSubDomains applies the policy to every subdomain, which breaks any subdomain that is not served over HTTPS with a valid certificate
Common Causes
- HSTS header set with includeSubDomains but some subdomains do not have valid SSL certificates
- Site added to HSTS preload list but later needs to serve HTTP content or downgrade
- SSL certificate expired on a domain with HSTS enabled — browsers block access entirely with no bypass
- HSTS redirect loop caused by HTTP-to-HTTPS redirect combined with incorrect HSTS configuration
Steps
1. Ensure all subdomains have valid SSL certificates before adding the includeSubDomains directive
2. Start with a short max-age (300 seconds) and increase it gradually after confirming HTTPS works everywhere
3. Clear the browser's HSTS cache for testing: chrome://net-internals/#hsts (delete domain security policies)
4. Fix SSL certificate issues before enabling HSTS — you cannot bypass certificate errors while HSTS is active
5. Submit to the HSTS preload list only after confirming HTTPS works correctly on the domain and all subdomains
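As an added example (not code from this wiki page), the following Python models what the Key Details and Steps describe: a parser for the Strict-Transport-Security header, a check against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and preload), and a minimal browser HSTS store showing how includeSubDomains makes a policy learned on example.com apply to a subdomain that may have no valid certificate, and how max-age=0 clears it. The host names and timestamps used are constructed.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the hstspreload.org minimum
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


def parse_hsts(header):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains, preload)."""
    max_age, subs, preload = None, False, False
    for raw in filter(str.strip, header.split(";")):
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw!r}")
        name, value = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if value is None or not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True  # unknown directives are ignored, per RFC 6797
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, subs, preload


def preload_problems(header):
    """List the hstspreload.org header requirements this value fails to meet."""
    max_age, subs, preload = parse_hsts(header)
    checks = [(max_age >= PRELOAD_MIN_MAX_AGE, "max-age below one year"),
              (subs, "includeSubDomains missing"), (preload, "preload missing")]
    return [msg for ok, msg in checks if not ok]


class HstsCache:
    """Minimal model of a browser HSTS store: host -> (expiry, include_subdomains)."""
    def __init__(self):
        self.entries = {}

    def observe(self, host, header, now):
        # Record a policy from a successful HTTPS response received at time `now`.
        max_age, subs, _ = parse_hsts(header)
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, subs)

    def must_use_https(self, host, now):
        # True if an http:// request for host would be upgraded to https://.
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False
```

Step 2 of the guide corresponds to observing a short policy first and only then a one-year policy; in the store model, the subdomain is forced to HTTPS the moment includeSubDomains is seen on the parent, whether or not it has a certificate.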